
The good, the bad and the anomaly

The security industry is rampant with vendors peddling anomaly detection as the cure-all for cyber attacks. This is grossly misleading.

The problem is that anomaly detection over-generalizes: All normal behavior is good; all anomalous behavior is bad – without considering gradations and context. With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.

Consider this: People do what it takes to get their jobs done – reading email while overseas on vacation, logging in at 3 a.m. when they wake up inspired, downloading new sets of files for a start-up project. Sometimes, this well-meaning behavior can appear suspicious.

At the same time, sophisticated cyber attackers are adept at mimicking accepted practices and blending in with normal behaviors. Consequently, anomaly detection vendors are more likely to flag good employees doing their jobs in slightly uncustomary ways than to identify and expose an attacker.
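To make the over-generalization concrete, here is an added example (not code from the post or from Vectra) that runs two toy detectors over constructed login records: a per-event anomaly detector that baselines each user's login hours and countries, and a behavior-focused rule that looks at what an account actually does across the day. The users, hosts, thresholds (a z-score cutoff of 2.0 and a "four or more distinct hosts" rule) and the ground-truth labels are all assumptions made for illustration.

```python
"""Toy comparison of per-event anomaly detection with a behaviour-focused rule.

Everything here is constructed for illustration: the baseline, today's logins,
the thresholds and the ground-truth labels are assumptions, not a vendor's method.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Historical logins per user, used only to build the anomaly baseline.
BASELINE = {
    "alice": {"hours": [8, 9, 9, 10, 9, 8, 10, 9], "countries": {"US"}},
    "bob":   {"hours": [9, 9, 10, 8, 9, 10, 9, 9], "countries": {"US"}},
    "carol": {"hours": [9, 10, 10, 9, 9, 8, 10, 9], "countries": {"US"}},
}

# Today's logins: (user, hour, country, host, ground_truth).
# ground_truth is used only to score the detectors afterwards; neither
# detector reads it.
TODAY = [
    ("alice", 3, "US", "ws-alice", "benign"),   # woke up inspired at 3 a.m.
    ("bob", 14, "FR", "ws-bob", "benign"),      # reading email on vacation
    ("carol", 10, "US", "fs-01", "attacker"),   # stolen credential, normal hours
    ("carol", 10, "US", "fs-02", "attacker"),
    ("carol", 10, "US", "fs-03", "attacker"),
    ("carol", 10, "US", "fs-04", "attacker"),
    ("alice", 9, "US", "ws-alice", "benign"),
    ("carol", 9, "US", "ws-carol", "benign"),   # the real Carol at her desk
]

Z_THRESHOLD = 2.0           # assumed cutoff for "unusual hour"
DISTINCT_HOST_THRESHOLD = 4  # assumed cutoff for the behaviour rule


def hour_zscore(user, hour):
    """How many standard deviations this login hour is from the user's norm."""
    hours = BASELINE[user]["hours"]
    spread = pstdev(hours) or 1.0  # guard a user whose hours never vary
    return abs(hour - mean(hours)) / spread


def anomaly_alerts(events):
    """Flag every event that deviates from the user's own baseline.

    This is the 'normal is good, anomalous is bad' model: each login is judged
    in isolation, with no notion of what the account is doing overall.
    """
    alerts = []
    for user, hour, country, host, truth in events:
        reasons = []
        if hour_zscore(user, hour) > Z_THRESHOLD:
            reasons.append("unusual hour")
        if country not in BASELINE[user]["countries"]:
            reasons.append("new country")
        if reasons:
            alerts.append({"user": user, "host": host, "reasons": reasons,
                           "malicious": truth == "attacker"})
    return alerts


def behaviour_alerts(events):
    """Flag an account by what it does across the day, not by how odd one login looks.

    The rule (an assumption for this example) is that one credential reaching
    many distinct hosts in a day is worth an analyst's time even when every
    single login looks perfectly ordinary.
    """
    hosts, labels = defaultdict(set), defaultdict(set)
    for user, _hour, _country, host, truth in events:
        hosts[user].add(host)
        labels[user].add(truth)
    return [{"user": user, "hosts": sorted(seen),
             "reasons": [f"{len(seen)} distinct hosts in one day"],
             "malicious": "attacker" in labels[user]}
            for user, seen in hosts.items()
            if len(seen) >= DISTINCT_HOST_THRESHOLD]


def score(alerts):
    """Return (alerts raised, alerts that actually pointed at attacker activity)."""
    return len(alerts), sum(1 for a in alerts if a["malicious"])


if __name__ == "__main__":
    for name, detector in (("anomaly", anomaly_alerts), ("behaviour", behaviour_alerts)):
        alerts = detector(TODAY)
        raised, hits = score(alerts)
        print(f"{name}: {raised} alert(s), {hits} pointing at attacker activity")
        for a in alerts:
            print("   ", a["user"], a["reasons"])
```

Run as written, the anomaly detector raises two alerts, both on well-meaning employees (the 3 a.m. login and the vacation login), and stays silent on the stolen credential because every one of its logins falls inside Carol's normal hours and country. The behaviour rule raises a single alert, on Carol's account, because it judges the pattern of activity rather than the oddness of any one event. The interesting design question for a real deployment is not the thresholds but where the signal lives: per-event deviation from a baseline versus a behaviour that an attacker needs to perform and a legitimate user rarely does.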

Can you say “false positive”?

You can compare anomaly detection to the law-enforcement practice of stop-and-frisk. For example, back in 2015, 99.5% of stop-and-frisks of suspicious people in New York City turned up no gun. Tens of thousands of searches and only a handful of weapons.

To paraphrase one observation, stop-and-frisk makes up for its inaccuracy by being resource-intensive and inefficient. But contrast stop-and-frisk with T-ray detection, which unobtrusively and instantly detects a thermal image of a person. If there is a concealed weapon, T-ray will show a cold gun-shape in contrast to the warm body.

Vectra, on the other hand, is the T-ray, using AI to distinguish overly general and easily misleading anomalous behaviors from the salient, very specific identifiers of attacker behaviors.

Anomaly detection vendors require cybersecurity analysts to scrutinize every suspicious event, real or not. That approach is the antithesis of “where there’s smoke, there’s fire.” When it comes to anomalous behavior, there’s tons of smoke with no fire, and security analysts must chase after every wisp, burning up time and money going after every false lead while remaining blind to the real threats.

Who has the time and money for that? And more importantly, who wants to risk their intellectual property and company reputation to such a flawed approach?

The inside job

The indicators for insider threats can be just as misleading. Yes, there have been some high-profile hacks that featured anomalous behavior, such as the reported leak of classified information by Edward Snowden.

But the clear majority of insider attacks were successful because they blended in with normal behaviors and were only discovered long after extensive damage was done.

In the fraudulent-account scandal at Wells Fargo, employees appeared to be doing their jobs – and doing them a bit ‘too well’ as it turned out. They knew and used the standard processes. They used their credentials appropriately. They didn’t overstep their access or authorization.

Advanced cyber attacks behave the same way. They blend in, and unless the security team focuses on looking for attacker behaviors rather than generalized anomalies, it has no realistic chance of getting ahead of these attacks.

About the author

Hitesh Sheth

Hitesh Sheth is the president and CEO of Vectra. Previously, he held the position of chief operating officer at Aruba Networks. Hitesh joined Aruba from Juniper Networks, where he was EVP/GM for its switching business and before that, SVP for the Service Layer Technologies group, which included security. Prior to Juniper, he held a number of senior management positions in the switching organization at Cisco, including running its metro Ethernet business. Before Cisco, he held executive and engineering management positions at Liberate Technologies and Oracle Corporation. He started his career as a Unix programmer at the Santa Cruz Operation. Hitesh holds a BA degree in Computer Science from the University of Texas at Austin.